Reporting CSRF via Openbugbounty

Openbugbounty CSRF
                                                                                      Openbugbounty CSRF
The website is vulnerable to CSRF because there is no use of Anti-CSRF tokens in the website but the main focus of this post is how to submit a proper CSRF report via OBB because in the start OBB couldn’t reproduce the CSRF reports and they all went to the rejected section in my case and in result making this post. Not only for bounty but you’ll get the idea what important things we should keep in our mind when making a detailed CSRF report. The below cheat sheet by @alexlauerman really helped me understand the different scenarios of CSRF. (Full post here)
CSRF cheatsheet
Vulnerability: CSRF/XSRF (Cross site request forgery) Severity: Critical Owasp rank: (OTG-SESS-005) As per OBB our first required step is to create a proper XML report with 3 valid requests where first request will be the vulnerable POST request [below].
Vulnerable request
Some researchers also submit the GET request of the vulnerable link which is useless because it will not show the vulnerable form in it. Only submit the POST one (request no 5106 here) and delete rest of the junk requests from HTTP history. Second step, before submitting the exploitation request take a screenshot of the victim’s profile page (in Chrome). Here we’ve to configure burpsuite with chrome too because we’re using two browsers with two different accounts to exploit the vulnerability. You might encounter certificate errors with chrome so just export it manually because http://burp doesn’t work in some cases. For exploit right click on vulnerable request → Engagement tools → Generate CSRF PoC and save it as HTML [below] or you can manually write the exploit with takeover info.
In chrome victim’s account should be open, in new tab open the exploit, submit the exploit and intercept the request and just forward it. Now you’ve second required request in your HTTP history (request no 5200 here)
Exploitation request
Third request will be the page content on which the vulnerable form is so after exploitation just refresh or send GET request to the vulnerable page (request no 5202 here) and now we’ve three required request in history.
GET request/response with page content
Now take the screenshot of the victim’s profile page after successful exploitation. Go to burp and select all three request and give comment as per instruction and save the items in XML format. Fill up the required details like vulnerable link, screenshots, report, contact details in the submission form and yes, in comment section just write a steps to reproduce the vulnerability so that it becomes easy to check manually. Click on submit. Have a look at video PoC

Leave a Reply